topic Re: Slave DNS server failed to access zone in Operating System - Linux

Slave DNS server failed to access zone

Maaz — Sat, 22 Apr 2006 13:00:48 GMT

OS: rhel 4
Master DNS server IP: 192.168.0.9
Slave DNS server IP: 192.168.0.8

I have configure Master DNS server, its working fine.
On Master server:
/etc/named.conf
zone "test.com" IN {
type master;
file "test.com.frwd";
};
# ls -dl /var/named/chroot/var/named/
drwxr-x--- 4 root named 4096 Apr 11 16:03 /var/named/chroot/var/named/

# ls -dl /var/named/chroot/var/named/slaves/
drwxrwx--- 2 named named 4096 Jul 27 2004 /var/named/chroot/var/named/slaves/

On Slave Server:
/etc/named.conf
zone "test.com" IN {
type slave;
file "test.com.frwd";
masters {192.168.0.9;};
};
# ls -dl /var/named/chroot/var/named/
drwxr-x--- 4 root named 4096 Apr 11 16:03 /var/named/chroot/var/named/

# ls -dl /var/named/chroot/var/named/slaves/
drwxrwx--- 2 named named 4096 Jul 27 2004 /var/named/chroot/var/named/slaves/

Slave server failed to download the zone file from master file

On Master server
tail -f /var/log/messages
April 22 18:13:13 ns1 named[2343]:zone test.com/IN: Sending notifies serial 1997022700)
April 22 18:13:13 ns1 named[2343]:client 192.168.0.8#1027: transfer of 'test.com/IN': AXFR started

On Slave server
tail -f /var/log/messages
April 22 18:13:13 ns2 named[2438]: received notify for zone 'test.com'
April 22 18:13:13 ns2 named[2438]:dumping master file: tmp-XXXXo5lyZp: open: permission denied
April 22 18:13:13 ns2 named[2438]:transfer of 'test.com/IN' from 192.168.0.9#53: failed while receiving responses: permission denied
April 22 18:13:13 ns2 named[2438]: transfer of 'testing.com/IN' from 192.168.0.9#53: end of transfer

Plz help
Regards
Maaz

Re: Slave DNS server failed to access zone

Manuel Wolfshant — Sat, 22 Apr 2006 20:54:17 GMT

The error simply says that named on the slave computer is not allowed to write the zone file on the disk.
Make sure you are really using the folder you think you are. It looks to me that you also need write permissions in a temporary folder below the chroot, probably /var/named/chroot/var/tmp.

Did you install bind-chroot ?

Re: Slave DNS server failed to access zone

Maaz — Sun, 23 Apr 2006 01:59:07 GMT

Thanks Dear Manuel Wolfshant for the reply/help.
Tomorow, I'll check the permission on /././tmp, and then I'll let u know

bind-chroot, yes ... I think its the default in rhel4
Regards
Maaz

Re: Slave DNS server failed to access zone

Steven E. Protter — Sun, 23 Apr 2006 02:07:57 GMT

On the master:

allow-transfer { localhost; 233.29.17.13; 19.146.119.223;};

This should permit transfer, otherwise unauthorized attempts to be slave servers will fail.

It keeps people from messing with you and setting up phishing sites and such.

SEP

Re: Slave DNS server failed to access zone

Maaz — Sun, 23 Apr 2006 02:22:43 GMT

Thanks for reply SEP
I even did the following
On Master server:
/etc/named.conf
zone "test.com" IN {
type master;
file "test.com.frwd";
allow-update {192.168.0.8;};
};

But prblms remain.
I'll follow ur instruction and will let u know tomorow.

Re: Slave DNS server failed to access zone

Steven E. Protter — Sun, 23 Apr 2006 06:26:43 GMT

Shalom,

You need to restart named

service named restart

All this data is cached in memory and you have to force the change.

Also may be needed to update the zone record serial number of the master of the domain.

SEP

Re: Slave DNS server failed to access zone

Manuel Wolfshant — Sun, 23 Apr 2006 10:17:37 GMT

Dear gentlemen, please allow me two small corrections:

issue one: "allow update" placed in a zone definition on the master server would allow it to RETRIEVE the zone (actually to have it UPDATED) from the slave. this is NOT what you want. It is only useful for dynamic DNS updates, when a slave zone is modified and the master must be informed. What you would want would be allow-transfer, which allows the slave to issue the XFER command (aka transfer the entire zone at once, not just individual records, as allow-query permits)
Taking into account the message which started the thread, that is:
"April 22 18:13:13 ns1 named[2343]:client 192.168.0.8#1027: transfer of 'test.com/IN': AXFR started" it is obvious that this step has already been taken care of.
Mr. Protter's suggestion to explicitely allow zone transfers to those who should be allowed to do it and only allow queries to the rest of the world (denying AXFR) is excellent from a security point of view.
However, the error message is:
"April 22 18:13:13 ns2 named[2438]:dumping master file: tmp-XXXXo5lyZp: open: permission denied"
which clearly indicates a write permission error on the local filesystem. It has NOTHING to do with bind or zone settings.

issue two: no need to RESTART the server when you update a zone. The correct method is to use "rndc reload zone", or maybe "rndc reload" if you have several zones that need updates. Whenever you use restart, you loose ALL the cached data. Which might not be important for small servers but do impose a penalty on large servers.

Re: Slave DNS server failed to access zone

Maaz — Sun, 23 Apr 2006 12:44:23 GMT

Thanks Mr Manuel Wolfshant for continous help and explanations... really nice explanations

Regards
Maaz

Re: Slave DNS server failed to access zone

Maaz — Mon, 24 Apr 2006 14:25:19 GMT

On Master/Slave servers

# ls -l /var/named/chroot/
total 24
drwxrwxr-- 2 root named 4096 Dec 26 01:40 dev
drwxrwx--- 2 root named 4096 Dec 26 01:40 etc
drwxrwx--- 5 root named 4096 Dec 26 01:40 var

# ls -l /var/named/chroot/var/
total 24
drwxr-x--- 4 root named 4096 Apr 23 17:33 named
drwxrwx--- 3 root named 4096 Dec 26 01:40 run
drwxrwx--- 2 named named 4096 Mar 14 2003 tmp

# ls -ld /var/named/chroot/var/named/slaves/
drwxrwx--- 2 named named 4096 Jul 27 2004 /var/named/chroot/var/named/slaves/

Regards
Maaz

Re: Slave DNS server failed to access zone

Manuel Wolfshant — Mon, 24 Apr 2006 16:26:59 GMT

Please be as kind as to edit the zone file on your slave and replace
type slave;
file "test.com.frwd";
with
type slave;
file "slaves/test.com.frwd";

For the moment you are trying to write the zone file in /var/named/chroot/var/named/ where named does not have write access.

Re: Slave DNS server failed to access zone

Maaz — Tue, 25 Apr 2006 12:37:31 GMT

Dear Manuel Wolfshant Thanks for help/suport.

>For the moment you are trying to write the zone file >in /var/named/chroot/var/named/ where named does not have write access

then what should I do ?
Regards
Maaz

Re: Slave DNS server failed to access zone

Manuel Wolfshant — Tue, 25 Apr 2006 12:41:17 GMT

Please reread the begining of my previous reply

Re: Slave DNS server failed to access zone

Maaz — Wed, 26 Apr 2006 12:40:05 GMT

Many Thanks Dear Mr Manuel Wolfshant for such nice help/support/explanations ;)

Thanks SEP for reply.

Regards
Maaz